Is Skype Safe for Attorney-Client Communication?

If you’ve been a casual user of Skype, you probably don’t have—and don’t need to have—much of a sense of what goes on behind the scenes. It allows you to make phone and video calls from your computer, and you know it works over the internet in some fashion.

There’s a long and thorny and hyper-technical story behind how Skype works. In brief, Skype used to be peer-to-peer, which meant that your computer, by and large, talked directly to the computer of the other person during your Skype conversation. People assumed that would be private, but it really wasn’t.

The Microsoft-owned service regularly scans message contents for signs of fraud, and company managers may log the results indefinitely, Ars [Technica] has confirmed. And this can only happen if Microsoft can convert the messages into human-readable form at will. […]

Ars used Skype to send four Web links that were created solely for purposes of this article. Two of them were never clicked on, but the other two—one beginning in HTTP link and the other HTTPS—were accessed by a machine at 65.52.100.214, an IP address belonging to Microsoft.

Skype started to grow out of its peer-to-peer backend a few years ago, not because Microsoft suddenly became interested in maximizing privacy, but because we stopped being tethered to our desktops, and that communication protocol relied on always-connected desktops. Now, Microsoft is shifting to having Skype run entirely in the cloud.

In and of itself, this isn’t a bad idea. Having everything in the cloud allows Skype to run like a combination of Dropbox and an answering service, basically.

File transfers on the new network go via the cloud, allowing fire-and-forget transfers, even to recipients that are temporarily away. This also allows a file to be downloaded by multiple recipients, or by the same recipient on multiple systems, without needing it to be retransmitted from the sender each time. The new voice and video messaging capabilities operate similarly, using cloud storage to hold voice and video messages even when the receiving client isn’t available.

So far, so good. And there’s nothing inherently more or less secure in moving to the cloud, but it is a problem when Microsoft’s move doesn’t seem to include encryption, or maybe it does. No one knows.

Microsoft has been consistently silent on this. The Skype protocol remains undocumented and proprietary; we do not authoritatively know where and how encryption is used or what the limits of the system are.

So, with all that, should you stop using Skype? Perhaps, but not because it moved to the cloud. There are other messenger/calling applications like Facebook Messenger, WhatsApp, and iMessage that offer end-to-end encryption, where your data is encrypted on your device and can be decrypted only by your recipient (and vice versa), so the service carrying it cannot read it along the way.

Communicating with your clients without that end-to-end encryption exposes them to a greater risk that their messages or identity will be compromised. The ABA issued an ethics opinion saying that if there was a significant risk a third party might gain access to your client’s email communications, you have a duty to warn your client about that risk. While that opinion didn’t address video calling or messaging apps, there’s no reason to presume that the ethical duty shouldn’t extend to all forms of electronic communication.

Skype is probably just fine for a “getting-to-know-you” sort of chat where you’re not exchanging sensitive information. But if you need a secure communication channel, there are better choices.